Electronic health information and privacy

December 14, 2012

Hackers have grabbed the details of an estimated 500,000 credit cards in Australia after hacking into the poorly secured database of an unnamed business in what police have labelled a "disaster waiting to happen".

The attack could result in up to $25 million worth of fraudulent transactions, Detective Superintendent Brad Marden told SC Magazine, and it is believed that the perpetrators are part of an active Eastern European criminal syndicate.

The group has a track record: it is said to be responsible for a 2011 attack on the Subway chain that affected 80,000 customers.

This time the effects are considerably wider.

The group is said to have taken advantage of a basic security set-up that the retailer was using to hold its data.

Marden explained that "the network was set up by some local suppliers who didn't understand IT security."

The syndicate captured credit card details using keyloggers installed on Point of Sale (POS) terminals and siphoned the data out through an insecure, openly exposed Microsoft Remote Desktop Protocol (RDP) connection.

Police say they are closing in on the gang in relation to its latest activity but, for now, Australian banks are on "high alert" in expectation that the card details will be sold off to third parties and other criminal elements.

The incident comes less than a month after Korea's KT Telecom revealed that hackers had grabbed data from some 8.7 million customers.

The operator revealed that the details were sold on to telemarketing firms during a five-month long campaign.

October 11, 2012

A weak password is to blame for the hacking of a Utah Department of Technology Services server containing patients' Social Security numbers and data on children's health plans.

On March 30 a hacker from Eastern Europe illegally accessed a Utah Department of Technology Services (DTS) server containing Social Security numbers for the Medicaid claims.

DTS provides technology services to Utah state agencies.

The breach involved both Medicaid patients as well as recipients of Children's Health Insurance Plan, which provides insurance coverage for children without other health insurance and who meet income guidelines.

The Utah Department of Health initially believed that 24,000 claims had been accessed, but that number is now about 780,000, according to UDOH.

The department then reported that 280,000 people had their Social Security numbers stolen and about 500,000 others had less-sensitive personal data, such as name, date of birth and address, compromised.

Outside firms hired by the UDOH and the Utah Department of Administrative Services (DAS) will conduct a forensic analysis to identify victims.

"Individuals provide sensitive personal information to the government in a relationship of trust," Herbert said in a statement.

"It is tragic that not only data was breached, but now individual trust is also compromised."

These servers also typically store names of physicians, national provider identifiers, addresses, tax identification numbers and procedure codes for billing, according to UDOH.

DTS reports that its servers are multilayered with security controls for perimeter, network, application, data security and identity management.

"All servers in the state are required to have secure passwords."

Despite these requirements, passwords in general are rarely changed for "privileged" accounts, according to Adam Bosnian, executive vice president, Americas and corporate development at Cyber-Ark Software, an identity-management vendor.

"Despite controlling access to an organization's sensitive data assets, these shared accounts simply do not have the same security standards applied to them," said Bosnian.

"Because these types of privileged accounts can act as a gateway to an organization's most sensitive data and information assets, they've emerged as the primary target for hackers," said Bosnian.

"DTS is doing everything they can to restore security," Governor Herbert said.

September 11, 2012

The B.C. government announced Thursday it has suspended all drug-related research and fired four of its employees as part of an investigation into the alleged misuse of confidential medical information.

On Thursday, The Vancouver Sun reported that seven government employees had been suspended without pay, and that agreements with two contractors had been dropped.

She said her ministry has suspended $4 million in drug-related research contracts, including work being done at both the University of B.C. and the University of Victoria.

"This is research that we contract with certain research entities, and that has all been stopped for the moment until we're sure going forward that no health information is being shared inappropriately," she said.

The ministry is also hiring an independent consultant to review and enhance data security measures.

MacDiarmid took over as health minister in a cabinet shuffle Wednesday and said she was shocked to hear of the allegations.

"It is my understanding that it was personal data, that it is regarding medications, but that there is personal data included in that," she said.

"It would appear that some of the people that were involved had relationships with others that would put them into a conflict that wasn't declared," she said, adding a family relationship was among the issues.

MacDiarmid also said the motivations for the alleged misconduct remain unclear, noting that so far investigators have not uncovered evidence of any personal financial gain.

The ministry began its recent investigation in May after the auditor general's office relayed an anonymous complaint about contracting irregularities and inappropriate research practices in the ministry's pharmaceutical services division.

The ministry has since involved the RCMP, and last month provided the force with the preliminary results of its internal investigation.

At a media briefing in Victoria on Thursday, reporters were told that suspensions without pay were not a common practice but that the government makes such decisions based on the information available.

The Harris County Hospital District recently told around 3,000 patients that their personal information, such as Social Security numbers and addresses, could have been stolen by a former employee.

The Houston Chronicle reports that a former employee of the hospital district was indicted in federal court this year in a Medicare kickback scheme involving two home health care operators.

Thomas was also accused of selling patient information to the owner of Jackson Home Healthcare, which then gave this information to others, including Houston Compassionate Care Inc. employees, the Chronicle reports.

August 14, 2012

The Surgeons of Lake County, a medical facility in the northern Illinois suburb of Libertyville, revealed last month that hackers had burrowed deeply into its computer network, infiltrating a server where e-mails and electronic medical records were stored, Bloomberg.com reported on its Tech Blog.

Unlike many other data breaches, the hackers made no attempt to keep their presence a secret.

The doctors turned the server off and notified the authorities, refusing to pay.

"This story is so ironic -- most people worry that their health records will be spread all over their local newspaper," said Dorothy Glancy, a professor at Santa Clara University's law school who specializes in digital privacy.

The Surgeons of Lake County isn't the first health care provider to be targeted by extortionists.

The incident, which was spotted by privacy blogger Dissent Doe in a federal database of health-related breaches, showcases an unsettling new strain of opportunism that is emerging as criminals try to exploit the industry's shift to digital medical records.

Until now, medical-data blackmail has been a niche crime, largely because of the difficulty and risk involved.

Security and privacy risks are also emerging with the creation of "health information exchanges," vast databases that states are setting up to handle electronic medical records.

June 25, 2012

Hundreds of patients who received letters of apology from the SouthWest regional health authority this week are just the latest victims of privacy invasion, something increasingly common in the technological age, says Mike Dull, a lawyer with Wagners Law Firm.

In April, his law firm filed a class action with representative plaintiff Beverly Moore against Capital Health over inappropriate access of medical information.

Moore said her distress is heightened because she doesn't know if the former employee kept or passed on any of the information, which would have included details about her health, employment, social insurance and health card numbers, as well as her husband's.

Revelations of the privacy breach emerged in December when a letter went out to 15 patients at Hants Community Hospital in Windsor, which is in the Capital Health district, to let them know their medical files had been infiltrated by a clerk who booked appointments.

A subsequent wider audit by the health authority uncovered other breaches, which led to the letters to Moore and others in February.

June 21, 2012

It is well-understood at this point that even basic personalization, like using customers' individual names, can substantially increase open and response rates for physical and digital mail.

"The pursuit of data is really the pursuit of relevant communications," says Dan Kohn, vice president of corporate marketing at Pitney Bowes, which recently conducted a survey of consumers in France, Germany, the U.K. and the U.S. and their feelings about the collection of personal information.

Kohn says that the Pitney Bowes survey found that consumers are aware of the value of their data, and they also value their privacy.

That study concluded that, at best, consumers view such communications as pushy.

In extreme cases, customers feel threatened that companies know so much about them.

Also, a recent McCann Worldwide Group report found that 56 percent of respondents said that when they consider sharing data with a company, a commitment from that company to not share personal information with a third party was of critical importance.

Kohn says that successful marketers must recognize appropriately requesting data and applying it to make customers feel valued is a balancing act.

Inappropriately requesting too much information or applying information in ways not connected to your message can give consumers an uneasy feeling about your brand.

The Pitney Bowes survey found that only 10 percent of respondents were unwilling to share their date of birth, 13 percent were unwilling to share their postal address, 14 percent were unwilling to share their email address and 22 percent were unwilling to share their bank details.

Of these intimate data, consumers are most free with their sexual preferences: only 45 percent of consumers are unwilling to share their sexual preferences.

Political persuasion is the most closely held data: Fully 76 percent of consumers are unwilling to share information about their politics.

"Every marketer must begin with full compliance with all security and privacy regulations in his or her country," Kohn says.

"Consumers are looking for a two-way, value-creating conversation, not just an offer."

When it comes to collecting and leveraging Big Data for customer communications, Kohn recommends the following data management steps: "Ensure compliance with all local and federal data regulations and keep up with current legislation.

June 20, 2012

For instance, no one has an absolute right to destroy health information.

All stakeholder groups have a complex series of rights and responsibilities relating to health information that should never be trivialized into ownership.

Raising the question of ownership at all is a hash argument.

Certain bad arguments work the same way. Skim online debates between biologists and earnest ID (Intelligent Design) aficionados armed with talking points if you want a few examples: the talking point on one side is just complex enough that it is both intelligible, even somewhat intuitive, to the layman and sounds as though it might qualify as some kind of insight.

Ownership is a poor starting point for health data because the concept itself doesn't map well to the people and organizations that have relationships with that data. Ergo, neither a patient nor a doctor nor the programmer has an "ownership" relationship with patient data.

Ironically, it is neither the patient nor the provider (when I say "provider," this usually means a doctor) who is closest to "owning" the data.

The programmer has the most complete access and the only role with the ability to avoid rules that are enforced automatically by electronic health record (EHR) software.

The real issue is: "What rights do patients have regarding healthcare data that refers to them?"